New

The executive guide to generative AI

Read more

AWS IAM Password Recovery Requested

edit

Identifies AWS IAM password recovery requests. An adversary may attempt to gain unauthorized AWS access by abusing password recovery mechanisms.

Rule type: query

Rule indices:

  • filebeat-*
  • logs-aws*

Severity: low

Risk score: 21

Runs every: 10m

Searches indices from: now-60m (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100

References:

Tags:

  • Domain: Cloud
  • Data Source: AWS
  • Data Source: Amazon Web Services
  • Use Case: Identity and Access Audit
  • Tactic: Initial Access

Version: 103

Rule authors:

  • Elastic

Rule license: Elastic License v2

Investigation guide

edit

Rule query

edit
event.dataset:aws.cloudtrail and event.provider:signin.amazonaws.com and event.action:PasswordRecoveryRequested and event.outcome:success

Framework: MITRE ATT&CKTM

Was this helpful?
Feedback